CVE-2024-41947 - OpenCVE

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.8 and 16.3.0RC1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
Xwiki	Xwiki

Configuration 1 [-]

OR	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::

No data.

References

Link	Providers
https://github.com/xwiki/xwiki-platform/commit/821d43ec45e67d45a6735a0717b9b77fffc1cd9f
https://github.com/xwiki/xwiki-platform/commit/e00e159d3737397eebd1f6ff925c1f5cb7cdec34
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-692v-783f-mg8x
https://jira.xwiki.org/browse/XWIKI-21626

History

Fri, 06 Sep 2024 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-79

Tue, 13 Aug 2024 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Xwiki xwiki
CPEs	cpe:2.3:a:xwiki:xwiki-platform::::::::	cpe:2.3:a:xwiki:xwiki::::::::
Vendors & Products	Xwiki xwiki-platform	Xwiki xwiki

Mon, 12 Aug 2024 20:30:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:xwiki:xwiki-platform:11.8-rc-1:::::::* cpe:2.3:a:xwiki:xwiki-platform:16.0.0-rc-1:::::::*	cpe:2.3:a:xwiki:xwiki-platform::::::::

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-07-31T15:24:20.271Z

Updated: 2024-08-13T13:36:59.723Z

Reserved: 2024-07-24T16:51:40.948Z

Link: CVE-2024-41947

Vulnrichment

Updated: 2024-07-31T15:58:30.116Z

NVD

Status : Analyzed

Published: 2024-07-31T16:15:04.540

Modified: 2024-09-06T20:46:01.477

Link: CVE-2024-41947

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-41947", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-24T16:51:40.948Z", "datePublished": "2024-07-31T15:24:20.271Z", "dateUpdated": "2024-08-13T13:36:59.723Z"}, "containers": {"cna": {"title": "XWiki Platform XSS through conflict resolution", "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "lang": "en", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-692v-783f-mg8x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-692v-783f-mg8x"}, {"name": "https://github.com/xwiki/xwiki-platform/commit/821d43ec45e67d45a6735a0717b9b77fffc1cd9f", "tags": ["x_refsource_MISC"], "url": "https://github.com/xwiki/xwiki-platform/commit/821d43ec45e67d45a6735a0717b9b77fffc1cd9f"}, {"name": "https://github.com/xwiki/xwiki-platform/commit/e00e159d3737397eebd1f6ff925c1f5cb7cdec34", "tags": ["x_refsource_MISC"], "url": "https://github.com/xwiki/xwiki-platform/commit/e00e159d3737397eebd1f6ff925c1f5cb7cdec34"}, {"name": "https://jira.xwiki.org/browse/XWIKI-21626", "tags": ["x_refsource_MISC"], "url": "https://jira.xwiki.org/browse/XWIKI-21626"}], "affected": [{"vendor": "xwiki", "product": "xwiki-platform", "versions": [{"version": ">= 11.8-rc-1, < 15.10.8", "status": "affected"}, {"version": ">= 16.0.0-rc-1, < 16.3.0-rc-1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-31T15:24:20.271Z"}, "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.8 and 16.3.0RC1."}], "source": {"advisory": "GHSA-692v-783f-mg8x", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "xwiki", "product": "xwiki", "cpes": ["cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "11.8-rc-1", "status": "affected", "lessThan": "15.10.8", "versionType": "custom"}, {"version": "16.0.0-rc-1", "status": "affected", "lessThan": "16.3.0-rc-1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-31T15:55:49.598423Z", "id": "CVE-2024-41947", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-13T13:36:59.723Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-41947", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-31T15:55:49.598423Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*"], "vendor": "xwiki", "product": "xwiki", "versions": [{"status": "affected", "version": "11.8-rc-1", "lessThan": "15.10.8", "versionType": "custom"}, {"status": "affected", "version": "16.0.0-rc-1", "lessThan": "16.3.0-rc-1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-31T15:58:30.116Z"}}], "cna": {"title": "XWiki Platform XSS through conflict resolution", "source": {"advisory": "GHSA-692v-783f-mg8x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "xwiki", "product": "xwiki-platform", "versions": [{"status": "affected", "version": ">= 11.8-rc-1, < 15.10.8"}, {"status": "affected", "version": ">= 16.0.0-rc-1, < 16.3.0-rc-1"}]}], "references": [{"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-692v-783f-mg8x", "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-692v-783f-mg8x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/xwiki/xwiki-platform/commit/821d43ec45e67d45a6735a0717b9b77fffc1cd9f", "name": "https://github.com/xwiki/xwiki-platform/commit/821d43ec45e67d45a6735a0717b9b77fffc1cd9f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/xwiki/xwiki-platform/commit/e00e159d3737397eebd1f6ff925c1f5cb7cdec34", "name": "https://github.com/xwiki/xwiki-platform/commit/e00e159d3737397eebd1f6ff925c1f5cb7cdec34", "tags": ["x_refsource_MISC"]}, {"url": "https://jira.xwiki.org/browse/XWIKI-21626", "name": "https://jira.xwiki.org/browse/XWIKI-21626", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.8 and 16.3.0RC1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-31T15:24:20.271Z"}}}, "cveMetadata": {"cveId": "CVE-2024-41947", "state": "PUBLISHED", "dateUpdated": "2024-08-13T13:36:59.723Z", "dateReserved": "2024-07-24T16:51:40.948Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-31T15:24:20.271Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "B17E1B0C-1A3C-48A9-80A5-22AD0EFC15AB", "versionEndExcluding": "15.10.8", "versionStartIncluding": "11.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "57BAD7E7-E9E4-4960-9F94-895F252BB527", "versionEndExcluding": "16.3.0", "versionStartIncluding": "16.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.8 and 16.3.0RC1."}, {"lang": "es", "value": " XWiki Platform es una plataforma wiki gen\u00e9rica que ofrece servicios de ejecuci\u00f3n para aplicaciones creadas sobre ella. Al crear un conflicto cuando otro usuario con m\u00e1s derechos est\u00e1 editando una p\u00e1gina, es posible ejecutar fragmentos de JavaScript del otro usuario, lo que compromete la confidencialidad, integridad y disponibilidad de toda la instalaci\u00f3n de XWiki. Esto ha sido parcheado en XWiki 15.10.8 y 16.3.0RC1."}], "id": "CVE-2024-41947", "lastModified": "2024-09-06T20:46:01.477", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-31T16:15:04.540", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/xwiki/xwiki-platform/commit/821d43ec45e67d45a6735a0717b9b77fffc1cd9f"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/xwiki/xwiki-platform/commit/e00e159d3737397eebd1f6ff925c1f5cb7cdec34"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-692v-783f-mg8x"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.xwiki.org/browse/XWIKI-21626"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-80"}], "source": "security-advisories@github.com", "type": "Secondary"}]}